How To Use A Vprn For A Private Network (Vprn)

Transcription

1 Virtual Private Routed Network Service In This Chapter This chapter provides information about the Virtual Private Routed Network (VPN) service and implementation notes. Topics in this chapter include: VPRN Service Overview on page 1465 VPRN Features on page 1483 IP Interfaces on page 1483 Object Grouping and State Monitoring on page 1494 Subscriber Interfaces on page 1496 SAPs on page 1497 QoS Policies on page 1498 Filter Policies on page 1498 DSCP Marking on page 1499 CE to PE Routing Protocols on page 1502 PE to PE Tunneling Mechanisms on page 1502 Per VRF Route Limiting on page 1502 Spoke SDPs on page 1503 Multicast in IP-VPN Applications on page 1509 Inter-AS VPRNs on page 1531 Carrier Supporting Carrier (CsC) on page 1534 Traffic Leaking to GRT on page 1541 Service Label Mode of a VPRN on page 1544 VPRN Off-Ramp on page SR OS Services Guide Page 1463

2 Configuring a VPRN Service with CLI on page 1557 Common Configuration Tasks on page 1560 Service Management Tasks on page 1581 Page SR OS Services Guide

3 Virtual Private Routed Network Services VPRN Service Overview RFC 2547b is an extension to the original RFC 2547, BGP/MPLS VPNs, which details a method of distributing routing information using BGP and MPLS forwarding data to provide a Layer 3 Virtual Private Network (VPN) service to end customers. Each Virtual Private Routed Network (VPRN) consists of a set of customer sites connected to one or more PE routers. Each associated PE router maintains a separate IP forwarding table for each VPRN. Additionally, the PE routers exchange the routing information configured or learned from all customer sites via MP-BGP peering. Each route exchanged via the MP-BGP protocol includes a Route Distinguisher (RD), which identifies the VPRN association and handles the possibility of IP address overlap. The service provider uses BGP to exchange the routes of a particular VPN among the PE routers that are attached to that VPN. This is done in a way which ensures that routes from different VPNs remain distinct and separate, even if two VPNs have an overlapping address space. The PE routers peer with locally connected CE routers and exchange routes with other PE routers in order to provide end-to-end connectivity between CEs belonging to a given VPN. Since the CE routers do not peer with each other there is no overlay visible to the CEs. When BGP distributes a VPN route, it also distributes an MPLS label for that route. On a SR- Series, the label distributed with a VPN route depends on the configured label-mode of the VPRN that is originating the route Before a customer data packet travels across the service provider's backbone, it is encapsulated with the MPLS label that corresponds, in the customer's VPN, to the route which best matches the packet's destination address. The MPLS packet is further encapsulated with one or additional MPLS labels or GRE tunnel header so that it gets tunneled across the backbone to the proper PE router. Each route exchanged by the MP-BGP protocol includes a route distinguisher (RD), which identifies the VPRN association. Thus the backbone core routers do not need to know the VPN routes. Figure 89 displays a VPRN network diagram example SR OS Services Guide Page 1465

4 VPRN Service Overview CE3 VPN:Red PE CE1 VPN:Red P P CE5 VPN:Red PE P IP/MPLS Cloud P PE CE2 VPN:Green PE CE6 VPN:Green CE4 VPN:Green Figure 89: Virtual Private Routed Network OSSG024 Page SR OS Services Guide

5 Virtual Private Routed Network Services Routing Prerequisites RFC4364 requires the following features: Multi-protocol extensions to BGP Extended BGP community support BGP capability negotiation Tunneling protocol options are as follows: Label Distribution Protocol (LDP) MPLS RSVP-TE tunnels Generic Router Encapsulation (GRE) tunnels BGP route tunnel (RFC3107) 7750 SR OS Services Guide Page 1467

6 VPRN Service Overview Core MP-BGP Support BGP is used with BGP extensions mentioned in Routing Prerequisites on page 1467 to distribute VPRN routing information across the service provider s network. BGP was initially designed to distribute IPv4 routing information. Therefore, multi-protocol extensions and the use of a VPN-IP address were created to extend BGP s ability to carry overlapping routing information. A VPN-IPv4 address is a 12-byte value consisting of the 8-byte route distinguisher (RD) and the 4-byte IPv4 IP address prefix. A VPN-IPv6 address is a 24-byte value consisting of the 8-byte RD and 16-byte IPv6 address prefix. Service providers typically assign one or a small number of RDs per VPN service network-wide. Page SR OS Services Guide

7 Virtual Private Routed Network Services Route Distinguishers The route distinguisher (RD) is an 8-byte value consisting of two major fields, the Type field and Value field. The Type field determines how the Value field should be interpreted. The 7750 SR OS implementation supports the three (3) Type values as defined in the standard. Type Field (2-bytes) Value Field (6-bytes) Figure 90: Route Distinguisher The three Type values are: Type 0: Value Field Administrator subfield (2 bytes) Assigned number subfield (4 bytes) The administrator field must contain an AS number (using private AS numbers is discouraged). The Assigned field contains a number assigned by the service provider. Type 1: Value Field Administrator subfield (4 bytes) Assigned number subfield (2 bytes) The administrator field must contain an IP address (using private IP address space is discouraged). The Assigned field contains a number assigned by the service provider. Type 2: Value Field Administrator subfield (4 bytes) Assigned number subfield (2 bytes) The administrator field must contain a 4-byte AS number (using private AS numbers is discouraged). The Assigned field contains a number assigned by the service provider. eibgp Load Balancing eibgp load balancing allows a route to have multiple nexthops of different types, using both IPv4 nexthops and MPLS LSPs simultaneously. Figure 91 displays a basic topology that could use eibgp load balancing. In this topology CE1 is dual homed and thus reachable by two separate PE routers. CE 2 (a site in the same VPRN) is also attached to PE1. With eibgp load balancing, PE1 will utilize its own local IPv4 nexthop as well as the route advertised by MP-BGP, by PE SR OS Services Guide Page 1469

8 VPRN Service Overview CE2 PE1 VRF IP/MPLS CE1 VRF PE2 al_0155 Figure 91: Basic eibgp Topology Another example displayed in Figure 92 shows an extra net VPRN (VRF). The traffic ingressing the PE that should be load balanced is part of a second VPRN and the route over which the load balancing is to occur is part of a separate VPRN instance and are leaked into the second VPRN by route policies. Here, both routes can have a source protocol of VPN-IPv4 but one will still have an IPv4 nexthop and the other can have a VPN-IPv4 nexthop pointing out a network interface. Traffic will still be load balanced (if eibgp is enabled) as if only a single VRF was involved. Page SR OS Services Guide

9 Virtual Private Routed Network Services CE2 PE1 VRF VRF IP/MPLS CE1 VRF PE2 al_0162 Figure 92: Extranet Load Balancing Traffic will be load balanced across both the IPv4 and VPN-IPv4 next hops. This helps to use all available bandwidth to reach a dual-homed VPRN SR OS Services Guide Page 1471

10 VPRN Service Overview Route Reflector The use of Route Reflectors is supported in the service provider core. Multiple sets of route reflectors can be used for different types of BGP routes, including IPv4 and VPN-IPv4 as well as multicast and IPv6. Page SR OS Services Guide

11 Virtual Private Routed Network Services CE to PE Route Exchange Routing information between the Customer Edge (CE) and Provider Edge (PE) can be exchanged by the following methods: Static Routes E-BGP RIP OSPF OSPF3 Each protocol provides controls to limit the number of routes learned from each CE router. Route Redistribution Routing information learned from the CE-to-PE routing protocols and configured static routes should be injected in the associated local VPN routing/forwarding (VRF). In the case of dynamic routing protocols, there may be protocol specific route policies that modify or reject certain routes before they are injected into the local VRF. Route redistribution from the local VRF to CE-to-PE routing protocols is to be controlled via the route policies in each routing protocol instance, in the same manner that is used by the base router instance. The advertisement or redistribution of routing information from the local VRF to or from the MP- BGP instance is specified per VRF and is controlled by VRF route target associations or by VRF route policies. VPN-IP routes imported into a VPRN, have the protocol type bgp-vpn to denote that it is an VPRN route. This can be used within the route policy match criteria SR OS Services Guide Page 1473

12 VPRN Service Overview CPE Connectivity Check Static routes are used within many IES and VPRN services. Unlike dynamic routing protocols, there is no way to change the state of routes based on availability information for the associated CPE. CPE connectivity check adds flexibility so that unavailable destinations will be removed from the VPRN routing tables dynamically and minimize wasted bandwidth. Server B.1 Static-route A.0/24 nexthop cpe-check interval 1 drop-count 2 Static-route B.0/24 nexthop cpe-check interval 1 drop-count B A.0.2 CPE /31.1 VPRN A Backbone Server A.1 Node A Fig_18 Figure 93: Directly Connected IP Target Server B.1 IC-route A.0/24 nexthop cpe-check interval 1 drop-count 2 IC-route B.0/24 nexthop cpe-check interval 1 drop-count B A / Management CPE /31.1 VPRN A Backbone Server A.1 Node A Fig_19 Figure 94: Multiple Hops to IP Target Page SR OS Services Guide

13 Virtual Private Routed Network Services The availability of the far-end static route is monitored through periodic polling. The polling period is configured. If the poll fails a specified number of sequential polls, the static route is marked as inactive. Either ICMP ping or unicast ARP mechanism can be used to test the connectivity. ICMP ping is preferred. If the connectivity check fails and the static route is de-activated, the SR-Series router will continue to send polls and re-activate any routes that are restored SR OS Services Guide Page 1475

14 VPRN Service Overview Constrained Route Distribution (RT Constraint) Constrained VPN Route Distribution Based on Route Targets Constrained Route Distribution (or RT Constraint) is a mechanism that allows a router to advertise Route Target membership information to its BGP peers to indicate interest in receiving only VPN routes tagged with specific Route Target extended communities. Upon receiving this information, peers restrict the advertised VPN routes to only those requested, minimizing control plane load in terms of protocol traffic and possibly also RIB memory. The Route Target membership information is carried using MP-BGP, using an AFI value of 1 and SAFI value of 132. In order for two routers to exchange RT membership NLRI they must advertise the corresponding AFI/SAFI to each other during capability negotiation. The use of MP-BGP means RT membership NLRI are propagated, loop-free, within an AS and between ASes using well-known BGP route selection and advertisement rules. ORF can also be used for RT-based route filtering, but ORF messages have a limited scope of distribution (to direct peers) and therefore do not automatically create pruned inter-cluster and inter-as route distribution trees. Configuring the Route Target Address Family RT Constraint is supported only by the base router BGP instance. When the family command at the BGP router group or neighbor CLI context includes the route-target keyword, the RT Constraint capability is negotiated with the associated set of EBGP and IBGP peers. ORF is mutually exclusive with RT Constraint on a particular BGP session. The CLI will not attempt to block this configuration, but if both capabilities are enabled on a session, the ORF capability will not be included in the OPEN message sent to the peer. Originating RT Constraint Routes When the base router has one or more RTC peers (BGP peers with which the RT Constraint capability has been successfully negotiated), one RTC route is created for each RT extended community imported (for unicast connectivity) by locally-configured VPRN services. By default, these RTC routes are automatically advertised to all RTC peers, without the need for an export policy to explicitly accept them. Each RTC route has a prefix, a prefix length and path attributes. The prefix value is the concatenation of the origin AS (a 4 byte value representing the 2- or 4-octet AS of the originating router, as configured using the config>router>autonomoussystem command) and 0 or bits of a route target extended community encoded in one of the Page SR OS Services Guide

15 Virtual Private Routed Network Services following formats: 2-octet AS specific extended community, IPv4 address specific extended community, or 4-octet AS specific extended community. A 7750 SR may be configured to send the default RTC route to any RTC peer. This is done using the new default-route-target group/neighbor CLI command. The default RTC route is a special type of RTC route that has zero prefix length. Sending the default RTC route to a peer conveys a request to receive all VPN routes (regardless of route target extended community) from that peer. The default RTC route is typically advertised by a route reflector to its clients. The advertisement of the default RTC route to a peer does not suppress other more specific RTC routes from being sent to that peer. Receiving and Re-Advertising RT Constraint Routes All received RTC routes that are deemed valid are stored in the RIB-IN. An RTC route is considered invalid and treated as withdrawn, if any of the following applies: The prefix length is The prefix length is The prefix length is and the 16 most-significant bits are not 0x0002, 0x0102 or 0x0202. If multiple RTC routes are received for the same prefix value then standard BGP best path selection procedures are used to determine the best of these routes. The best RTC route per prefix is re-advertised to RTC peers based on the following rules: The best path for a default RTC route (prefix-length 0, origin AS only with prefix-length 32, or origin AS plus 16 bits of an RT type with prefix-length 48) is never propagated to another peer. A PE with only IBGP RTC peers that is neither a route reflector or an ASBR does not readvertise the best RTC route to any RTC peer due to standard IBGP split horizon rules. A route reflector that receives its best RTC route for a prefix from a client peer readvertises that route (subject to export policies) to all of its client and non-client IBGP peers (including the originator), per standard RR operation. When the route is readvertised to client peers, the RR (i) sets the ORIGINATOR_ID to its own router ID and (ii) modifies the NEXT_HOP to be its local address for the sessions (for example, system IP). A route reflector that receives its best RTC route for a prefix from a non-client peer readvertises that route (subject to export policies) to all of its client peers, per standard RR operation. If the RR has a non-best path for the prefix from any of its clients, it advertises the best of the client-advertised paths to all non-client peers SR OS Services Guide Page 1477

16 VPRN Service Overview An ASBR that is neither a PE nor a route reflector that receives its best RTC route for a prefix from an IBGP peer re-advertises that route (subject to export policies) to its EBGP peers. It modifies the NEXT_HOP and AS_PATH of the re-advertised route per standard BGP rules. No aggregation of RTC routes is supported. An ASBR that is neither a PE nor a route reflector that receives its best RTC route for a prefix from an EBGP peer re-advertises that route (subject to export policies) to its EBGP and IBGP peers. When re-advertised routes are sent to EBGP peers, the ABSR modifies the NEXT_HOP and AS_PATH per standard BGP rules. No aggregation of RTC routes is supported. Note: These advertisement rules do not handle hierarchical RR topologies properly. This is a limitation of the current RT constraint standard. Using RT Constraint Routes In general (ignoring IBGP-to-IBGP rules, Add-Path, Best-external, etc.), the best VPN route for every prefix/nlri in the RIB is sent to every peer supporting the VPN address family, but export policies may be used to prevent some prefix/nlri from being advertised to specific peers. These export policies may be configured statically or created dynamically based on the support of ORF with specific peers. RT Constraint introduces another mechanism for dynamic modification of export policies. In R10, ORF and RT Constraint are mutually exclusive on a session. When RT Constraint is configured on a session that also supports VPN address families using route targets (that is, L2-VPN, VPN-IPv4, VPN-IPv6, MVPN, MDT-SAFI), the advertisement of the VPN routes is affected as follows: When the session comes up, all L2-VPN, MVPN, and MDT-SAFI routes (subject to manually configured export policies) are advertised immediately, but the advertisement of VPN-IPv4 and VPN-IPv6 routes is delayed for a short while to allow all RTC routes to first be received from the peer. After the initial delay, the received RTC routes are acted upon immediately. If S1 is the set of routes previously advertised to the peer and S2 is the set of routes that should be advertised based on the most recent received RTC routes then: Set of routes in S1 but not in S2 should be withdrawn immediately (subject to MRAI). Set of routes in S2 but not in S1 should be advertised immediately (subject to MRAI). If a default RTC route is received from an EBGP or IBGP peer P1, the VPN routes that are advertised to P1 is the set of VPN-IPv4 and VPN-IPv6 routes in the LOC-RIB that: (a) are eligible for advertisement to P1 per BGP route advertisement rules AND (b) have not been rejected by manually configured export policies AND (c) have not been advertised to the peer Note: This applies whether or not P1 advertised the best route for the default RTC prefix. Page SR OS Services Guide

17 Virtual Private Routed Network Services No MVPN, MDT-SAFI, or L2-VPN routes are sent as a result of receiving the default RTC route. In this context, a default RTC route is any of the following: (1) a route with NLRI length = zero (2) a route with NLRI value = origin AS and NLRI length = 32 (3) a route with NLRI value = {origin AS+0x0002 origin AS+0x0102 origin AS+0x0202} and NLRI length = 48 If an RTC route for prefix A (origin-as = A1, RT = A2/n, n > 48) is received from an IBGP peer I1 in autonomous system A1, the VPN routes that are advertised to I1 is the set of VPN-IPv4 and VPN-IPv6 routes in the LOC_RIB that: (a) are eligible for advertisement to I1 per BGP route advertisement rules AND (b) have not been rejected by manually configured export policies AND (c) carry at least one route target extended community with value A2 in the n mostsignificant bits AND (d) have not been advertised to the peer Note: This applies whether or not I1 advertised the best route for A. No MVPN, MDT-SAFI or L2-VPN routes are sent as a result of receiving the RTC route. If the best RTC route for a prefix A (origin-as = A1, RT = A2/n, n > 48) is received from an IBGP peer I1 in autonomous system B, the VPN routes that are advertised to I1 is the set of VPN-IPv4 and VPN-IPv6 routes in the LOC-RIB that: (a) are eligible for advertisement to I1 per BGP route advertisement rules AND (b) have not been rejected by manually configured export policies AND (c) carry at least one route target extended community with value A2 in the n mostsignificant bits AND (d) have not been advertised to the peer Note: This applies only if I1 advertised the best route for A. No MVPN, MDT-SAFI, or L2-VPN routes are sent as a result of receiving the RTC route. If the best RTC route for a prefix A (origin-as = A1, RT = A2/n, n > 48) is received from an EBGP peer E1, the VPN routes that are advertised to E1 is the set of VPN-IPv4 and VPN-IPv6 routes in the LOC-RIB that: (a) are eligible for advertisement to E1 per BGP route advertisement rules AND (b) have not been rejected by manually configured export policies AND (c) carry at least one route target extended community with value A2 in the n mostsignificant bits AND (d) have not been advertised to the peer Note: This applies only if E1 advertised the best route for A SR OS Services Guide Page 1479

18 VPRN Service Overview No MVPN, MDT-SAFI or L2-VPN routes are sent as a result of receiving the RTC route. Page SR OS Services Guide

19 Virtual Private Routed Network Services BGP Fast Reroute in a VPRN BGP fast reroute is a feature that brings together indirection techniques in the forwarding plane and pre-computation of BGP backup paths in the control plane to support fast reroute of BGP traffic around unreachable/failed next-hops. In a VPRN context BGP fast reroute is supported using unlabeled IPv4, unlabeled IPv6, VPN-IPv4, and VPN-IPv6 VPN routes. The supported VPRN scenarios are outlined in Table 23. Note that BGP fast reroute information specific to the base router BGP context is described in the BGP Fast Reroute section of the 7x50 SR OS Routing Protocols Guide. Table 23: BGP Fast Reroute Scenarios (VPRN Context) Ingress Packet IPv4 (ingress PE) IPv4 (ingress PE) MPLS (egress PE) MPLS (egress PE) IPv6 (ingress PE) IPv6 (ingress PE) MPLS (egress) Primary Route Backup Route Prefix Independent Convergence IPv4 route with next-hop A resolved by an IPv4 route VPN-IPv4 route with next-hop A resolved by a GRE, LDP, RSVP or BGP tunnel IPv4 route with next-hop A resolved by an IPv4 route IPv4 route with next-hop A resolved by an IPv4 rout IPv6 route with next-hop A resolved by an IPv6 route VPN-IPv6 route with next-hop A resolved by a GRE, LDP, RSVP or BGP tunnel IPv6 route with next-hop A resolved by an IPv6 route IPv4 route with next-hop B resolved by an IPv4 route VPN-IPv4 route with nexthop A resolved by a GRE, LDP, RSVP or BGP tunnel IPv4 route with next-hop B resolved by an IPv4 route VPN-IPv4 route* with nexthop B resolved by a GRE, LDP, RSVP or BGP tunnel IPv6 route with next-hop B resolved by an IPv6 route VPN-IPv6 route with nexthop B resolved by a GRE, LDP, RSVP or BGP tunnel IPv6 route with next-hop B resolved by an IPv6 route Yes Yes, but if the VPN-IP routes are label-per-prefix the ingress card must be FP2 or better Yes Yes, but if the VPN-IP routes are label-per-prefix the ingress card must be FP2 or better for PIC Yes Yes, but if the VPN-IP routes are label-per-prefix the ingress card must be FP2 or better Yes 7750 SR OS Services Guide Page 1481

20 VPRN Service Overview Table 23: BGP Fast Reroute Scenarios (VPRN Context) Ingress Packet MPLS (egress) Primary Route Backup Route Prefix Independent Convergence IPv6 route with next-hop A resolved by an IPv6 route Yes, but if the VPN-IP routes are label-per-prefix the ingress card must be FP2 or better for PIC VPRN label mode must be VRF. VPRN must export its VPN-IP routes with RD y. For the best performance the backup next-hop must advertise the same VPRN label value with all routes (e.g. per VRF label). BGP Fast Reroute in a VPRN Configuration Configuring the backup-path command under config>service>vprn>bgp causes only routes learned from CE BGP peers to be considered when selecting the primary and backup paths. Configuring the enable-bgp-vpn-backup command under config>service>vprn causes imported BGP-VPN routes to be compared to CE BGP routes when selecting the primary and backup paths. This command is required to support fast failover of ingress traffic from one remote PE to another remote PE and to support fast failover of egress traffic from a locally connected CE to a remote PE. Page SR OS Services Guide

21 Virtual Private Routed Network Services VPRN Features This section describes various VPRN features and any special capabilities or considerations as they relate to VPRN services. IP Interfaces on page 1483 Subscriber Interfaces on page 1496 SAPs on page 1497 Encapsulations on page 1497 QoS Policies on page 1498 Filter Policies on page 1498 CE to PE Routing Protocols on page 1502 PE to PE Tunneling Mechanisms on page 1502 Per VRF Route Limiting on page 1502 Using OSPF in IP-VPNs on page 1506 Spoke SDPs on page 1503 Multicast Protocols Supported in the Provider Network on page 1512 IP Interfaces VPRN customer IP interfaces can be configured with most of the same options found on the core IP interfaces. The advanced configuration options supported are: VRRP Cflowd Secondary IP addresses ICMP Options Configuration options found on core IP interfaces not supported on VPRN IP interfaces are: NTP broadcast receipt 7750 SR OS Services Guide Page 1483

22 VPRN Features QoS Policy Propagation Using BGP (QPPB) This section discusses QPPB as it applies to VPRN, IES, and router interfaces. Refer to the QoS Policy Propagation Using BGP (QPPB) on page 1210 section on page 1207 and the IP Router Configuration section in the 7x50 OS Router Configuration Guide. QoS policy propagation using BGP (QPPB) is a feature that allows a route to be installed in the routing table with a forwarding-class and priority so that packets matching the route can receive the associated QoS. The forwarding-class and priority associated with a BGP route are set using BGP import route policies. In the industry this feature is called QPPB, and even though the feature name refers to BGP specifically. On SR routers, QPPB is supported for BGP (IPv4, IPv6, VPN- IPv4, VPN-IPv6), RIP and static routes. While SAP ingress and network QoS policies can achieve the same end result as QPPB, assigning a packet arriving on a particular IP interface to a specific forwarding-class and priority/profile based on the source IP address or destination IP address of the packet the effort involved in creating the QoS policies, keeping them up-to-date, and applying them across many nodes is much greater than with QPPB. In a typical application of QPPB, a BGP route is advertised with a BGP community attribute that conveys a particular QoS. Routers that receive the advertisement accept the route into their routing table and set the forwarding-class and priority of the route from the community attribute. QPPB Applications There are two typical applications of QPPB: 1. Coordination of QoS policies between different administrative domains. 2. Traffic differentiation within a single domain, based on route characteristics. Inter-AS Coordination of QoS Policies The operator of an administrative domain A can use QPPB to signal to a peer administrative domain B that traffic sent to certain prefixes advertised by domain A should receive a particular QoS treatment in domain B. More specifically, an ASBR of domain A can advertise a prefix XYZ to domain B and include a BGP community attribute with the route. The community value implies a particular QoS treatment, as agreed by the two domains (in their peering agreement or service level agreement, for example). When the ASBR and other routers in domain B accept and install the route for XYZ into their routing table, they apply a QoS policy on selected interfaces that classifies traffic towards network XYZ into the QoS class implied by the BGP community value. QPPB may also be used to request that traffic sourced from certain networks receive appropriate QoS handling in downstream nodes that may span different administrative domains. This can be achieved by advertising the source prefix with a BGP community, as discussed above. However, Page SR OS Services Guide

23 Virtual Private Routed Network Services in this case other approaches are equally valid, such as marking the DSCP or other CoS fields based on source IP address so that downstream domains can take action based on a common understanding of the QoS treatment implied by different DSCP values. In the above examples, coordination of QoS policies using QPPB could be between a business customer and its IP VPN service provider, or between one service provider and another. Traffic Differentiation Based on Route Characteristics There may be times when a network operator wants to provide differentiated service to certain traffic flows within its network, and these traffic flows can be identified with known routes. For example, the operator of an ISP network may want to give priority to traffic originating in a particular ASN (the ASN of a content provider offering over-the-top services to the ISP s customers), following a certain AS_PATH, or destined for a particular next-hop (remaining on-net vs. off-net). Figure 95 shows an example of an ISP that has an agreement with the content provider managing AS300 to provide traffic sourced and terminating within AS300 with differentiated service appropriate to the content being transported. In this example we presume that ASBR1 and ASBR2 mark the DSCP of packets terminating and sourced, respectively, in AS300 so that other nodes within the ISP s network do not need to rely on QPPB to determine the correct forwarding-class to use for the traffic. Note however, that the DSCP or other COS markings could be left unchanged in the ISP s network and QPPB used on every node. Route Policy: Accept all routes with AS_PATH ending with ASN 300 and set fcto high-1 QoSPolicy: Lookup the destination IP address of all packets arriving on this interface to determine fc Route Policy: Accept all routes with AS_PATH ending with ASN 300 and set fcto high-1 QoSPolicy: Lookup the source IP address of all packets arriving on this interface to determine fc Provider Content Provider AS 300 Peer AS 200 PE 1 ASBR 1 P ASBR 2 Figure 95: Use of QPPB to Differentiate Traffic in an ISP Network OSSG SR OS Services Guide Page 1485